DORA Gap Analysis Template for UK Financial Firms

DORA entered into force on 17 January 2025, and the firms we speak to fall into two camps: those that have conducted a structured gap analysis and know exactly what work remains, and those that have broadly assessed their compliance and believe they are "mostly there". The gap between these two positions is where regulatory risk lives. A structured DORA gap analysis — systematically assessing your current state against each of DORA's five pillars — is the foundation of a credible compliance programme. This template provides the framework.

DORA has been in force since January 2025. UK firms with EU operations or EU ICT providers are in scope. A structured gap analysis is the starting point for any credible compliance programme.

Pillar 1: ICT Risk Management Framework

DORA Articles 5–16 require a comprehensive ICT risk management framework. Key gap analysis questions:

  • Do you have a Board-approved ICT risk management framework that is reviewed annually?
  • Have you identified and documented your ICT assets — hardware, software, data, and third parties?
  • Do you have a current ICT risk register with assessed, owned, and mitigated risks?
  • Are your information security policies documented and approved by senior management?
  • Do you have documented business continuity and disaster recovery plans for ICT systems?
  • Gap indicator: If you cannot produce a current ICT risk register on request, Pillar 1 has material gaps

Pillar 2: ICT Incident Reporting

DORA Articles 17–23 require classification and reporting of major ICT incidents. Key gap analysis questions:

  • Do you have a documented incident classification methodology that distinguishes major from non-major incidents using DORA's criteria?
  • Do you have a procedure for notifying your lead EU regulator of major ICT incidents within DORA's timeframes (initial notification within 4 hours; intermediate report within 72 hours; final report within one month)?
  • Do you maintain an incident register covering all ICT incidents regardless of classification?
  • Gap indicator: If your incident response plan predates DORA and does not address DORA classification and reporting timelines, Pillar 2 has material gaps

Pillar 3: Digital Operational Resilience Testing

DORA Articles 24–27 require resilience testing proportionate to the firm's significance. Key gap analysis questions:

  • Do you conduct annual basic resilience testing (vulnerability assessments, penetration testing, tabletop exercises)?
  • If you are a significant entity, have you planned for TLPT (threat-led penetration testing)?
  • Do you test scenarios that include cyber attack, third-party failure, and cloud outage?
  • Are test results documented, gaps tracked, and remediation completed within agreed timelines?
  • Gap indicator: If your last penetration test was more than 12 months ago, Pillar 3 has an immediate gap

Pillar 4: ICT Third-Party Risk Management

DORA Articles 28–44 cover ICT third-party risk, the most operationally complex of the five pillars. Key gap analysis questions:

  • Do you maintain a register of all ICT third-party service providers with criticality ratings?
  • Have you identified critical third-party providers and conducted enhanced due diligence?
  • Have you assessed concentration risk from reliance on single cloud or technology providers?
  • Do your ICT contracts include DORA Article 30 mandatory provisions (incident notification, audit rights, exit plans)?
  • Do you have documented exit plans for all critical third-party providers?
  • Gap indicator: If your ICT provider contracts do not include incident notification SLAs and exit strategy provisions, Pillar 4 has material contractual gaps

Pillar 5: Information Sharing

DORA Article 45 encourages voluntary information sharing on cyber threat intelligence. While voluntary, participation demonstrates engagement with the DORA framework:

  • Are you a member of any sector-specific threat intelligence sharing arrangement (FS-ISAC, NCSC sharing schemes)?
  • Do you have procedures for receiving, assessing, and acting on threat intelligence from information sharing networks?
  • Gap indicator: Non-participation in any information sharing is not a compliance breach but represents a missed resilience enhancement

Frequently Asked Questions

How long does a DORA gap analysis take?

A structured DORA gap analysis using this template takes 2–4 weeks for a typical financial firm — longer for complex, multi-entity groups. The analysis requires input from IT, compliance, procurement (for contract review), and senior management (for governance documentation). Kyanite Blue can conduct a facilitated DORA gap analysis, typically completing the assessment in 2–3 weeks with a structured remediation roadmap delivered within four weeks of starting.

Should we prioritise DORA or FCA PS21/3 if we have limited capacity?

For UK firms with EU exposure, DORA takes priority for EU-facing entities — it is a direct legal obligation. For the UK entity, PS21/3 is the primary obligation. Where the frameworks overlap (and they overlap significantly in ICT risk management, incident response, and third-party risk), addressing the more prescriptive DORA requirement typically satisfies both. For firms without EU exposure, PS21/3 is the only direct obligation, but DORA provides a useful benchmark for what comprehensive resilience looks like.

What is the biggest DORA compliance gap for most UK firms?

In our experience, the most common material gap is ICT third-party contracts — specifically, the absence of DORA Article 30 mandatory provisions. Most firms have ICT contracts that were negotiated before DORA and do not include incident notification timelines, security standards, audit rights, and exit strategy provisions. Contract renegotiation with major providers (cloud, core banking, trading systems) takes time — this is the gap to start addressing first, as it requires external engagement and procurement lead time.

Commission a facilitated DORA gap analysis

Kyanite Blue specialises in cybersecurity for iGaming operators. MGA-licensed operators across Malta trust our stack.
